Android Browser Security--What You Haven't Been Told

Surprisingly, JellyBean does include the latest TLSv1.2 encryption protocol, but it is disabled by default. There is a procedure to enable it that a developer must follow to secure an application with this feature. A few of the browsers mentioned above have done so, but many have not, either out of ignorance or sloth. There are extensive options for detailed cipher control that can be used to pass more of the Qualys SSL Labs tests with the standard WebKit (by disabling SSLv3, RC4, export ciphers and so on), but none of the tested "rebadged-WebKit" browsers listed above have done so (likely because no best-practice document details the procedure).

Beginning with Android 2.3 Gingerbread, Google made the surprising decision to alter the preferred cipher order, switching to RC4-MD5 from Android 2.2 Froyo's AES256-SHA1. Although it appears that this was done to mirror the Java standards, the impact is described as "a sign of horrible ignorance, security incompetence or a clever disguise for an NSA-influenced manipulation". This flaw remained in place for the initial Android JellyBean 4.1 release, although it appears to have been corrected by release 4.3.

Moving onward to third parties, the CM Browser application specifically advertises that it is "Secure: Malicious & Fraud Protection" with the "#1 antivirus engine...which can protect you from malicious threats." Despite these claims, its use of the WebKit system exposes it to all the problems of the older platforms. The Safe Browser advertises anti-spyware and anti-virus features, but the SSL test results surely negate any dubious benefit from a malware host list. The Ghostery browser appears to be available as a plugin for Firefox—use it in this manner for better encryption support.

Opera Mini deserves special mention. In the default configuration, the Qualys SSL scanner detects the "Presto" rendering engine, not WebKit, and it passes all of the security tests. However, if the "data savings" setting is switched from "extreme" to "high", then WebKit is detected (not Presto), and all of the tests fail. It appears that, while Presto is active, all of Opera Mini's browser traffic is routed through Opera's servers for pre-rendering and compression. This is deceptive, so Opera Mini's failing grade is reported here.

All of the browsers tested were free, but some have "ad-free/pro" versions that must be purchased. Be sure to test via the Qualys SSL scanner before paying for any Android browser to avoid purchasing a failure.

This problem does not end with browsers. A number of applications render web pages as a small subset of their function, and those rendered pages are also unsafe. For example, the Tinfoil for Facebook application has an option to "Open links inside app". Those links are opened with the system WebKit. Banking, securities and finance apps may well do the same. If you run an Android app that handles sensitive data, ask the developers if they use WebKit/WebView. If so, do not use it on Android 4.4 or below.

Safe Harbor

From the web browsers above that pass all standards tests, Google Chrome likely has the largest installed base, as it is bundled on many Android devices when they are sold. Many will be tempted to use it as their secure browser. This is likely the wrong choice, for a number of reasons:

  • Although Chrome allows malware blocking as an extension in other operating systems, this feature has been removed from the Android version. Google has not stopped with merely denying this single feature in Chrome, but has gone further and removed third-party malware/adblock applications from the Play store, further endangering the Android community. Such a move demonstrates clearly that advertising telemetry is more important than security for the Android architects.

  • Google Chrome is (partially) closed source, and users have no idea what it might be harvesting when it is installed and in use, especially on the Android platform where Google likely feels a sense of entitlement.

  • Instead of Chrome, it is possible to load the open-source Chromium browser on Android (to which Google adds closed-source components prior to distribution). The getChromium application on F-Droid can install this precursor browser. Still, Chromium lacks malware filters.

It's plain that the safest browser on Android should be open source, include malware block capability, receive regular updates and not be based on WebKit in any way, to ensure that it does not clandestinely utilize vulnerable Android components. The obvious browser that meets these qualifications is Firefox. This is not to imply that Firefox is a perfect browser. It famously lacks a sandbox, which has not helped its reputation. However, it is far better than the majority of its peers on Android. It also has a large extensions library that includes several malware/adblock options. Google has confirmed that extensions will never come to Chrome for Android, which might be for the best, as criminals have been soliciting Chrome extension authors to abuse Chrome users.

To address other Android components that present a danger to safe usage, consider the following:

  • /system/lib/ — this library has been compromised in attacks transmitted by web pages and media sent by MMS. Some have suggested that Firefox is not vulnerable to StageFright exploits.

  • /system/lib/ — the core standard library for the C programming language was taken largely from OpenBSD, then neglected for years. Recent update efforts by the maintainers expose the sad state to which the code had fallen: "I've seen what a mess things were when we diverged (and how many bugs went unfixed in Android despite having been fixed for years upstream)."

  • The Linux kernel itself — more a demonstration of policy than security, Google's source contribution to the kernel for Android was erased by a kernel maintainer who announced the reason why: "In short, no one cared about the code, so it was removed". For a definitive kernel security weakness that, for many users, will never be patched, the example of Pinkie Pie's Towelroot is the best known. This flaw allows any application to gain root privilege on some KitKat devices and many earlier versions.


Charles Fisher has an electrical engineering degree from the University of Iowa and works as a systems and database administrator for a Fortune 500 mining and manufacturing corporation.